Exam PCNSE topic 1 question 606 discussion

Actual exam question from Palo Alto Networks's PCNSE

Question #: 606
Topic #: 1

A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
2. Check the box for negate option to negate this IP from the NAT translation.
B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
2. Check the box for negate option to negate this IP subnet from NAT translation.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
3. Place (NAT-Rule-2) above (NAT-Rule-1).
D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
3. Place (NAT-Rule-1) above (NAT-Rule-2).

Show Suggested Answer

Suggested Answer: C 🗳️

by Thunnu at March 28, 2024, 9:40 a.m.

Comments

Submit Cancel

krzyb

8 months, 3 weeks ago

None of the answers is correct. A & B talks about the "negate" option which is not available for NAT rules. C & D refers to invalid subnet 10.0.0/23 (only 3 octets). With a source like this, you cannot even save the rule. "We will not check your knowledge, we will make you confused" type of question.

upvoted 1 times